Domain Fronting
Preparation
Install the required components on the VPS:
apt-get install nginx apache2 python3-certbot-apache
Edit the Apache configuration, then confirm with the following command that a VHOST is configured on port 80:
apachectl -t -D DUMP_VHOSTS
Use the certbot tool to request a Let's Encrypt certificate:
certbot certonly -d <域名> --apache --register-unsafely-without-email --agree-to
root@ts:/etc/apache2/sites-available# certbot certonly -d azuresky.live --apache --register-unsafely-without-email --agree-to
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for azuresky.live
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/azuresky.live/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/azuresky.live/privkey.pem
Your cert will expire on 2023-12-31. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Domain Fronting Theory
Implementing domain fronting with Azure CDN
Register-AzResourceProvider -ProviderNamespace Microsoft.Cdn
ajax.microsoft.com
ajax.aspnetcdn.com
do.skype.com
msdn.microsoft.com
az416426.vo.msecnd.net
officeimg.vo.msecnd.net
Edit the /etc/nginx/nginx.conf file, add the URIs from the profile, and set up filtering based on the User-Agent:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name localhost;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    ssl_certificate /etc/letsencrypt/live/azuresky.live/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/azuresky.live/privkey.pem;
    # Only the URIs from the profile are proxied; everything else falls through
    # to nginx's default handling. Dots are escaped so the regex matches the
    # literal file names rather than any character.
    location ~ ^/(index\.html|content\.php|api/azure|static/index\.html|jquery-3\.3\.1\.slim\.min\.js|jquery-3\.3\.2\.slim\.min\.js|jquery-3\.3\.1\.min\.js|jquery-3\.3\.2\.min\.js) {
        # Requests whose User-Agent does not match the profile's string get 403
        if ($http_user_agent != "dlerinfra") {
            return 403;
        }
        proxy_pass https://localhost:10443;
    }
}
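The configuration above gates on a User-Agent string, which an operator can change at will; from the defender's side the durable signal of domain fronting is the split between the TLS SNI (the high-reputation CDN name) and the HTTP Host header (the CDN endpoint actually routed to). The following analyser is an added example, not code from the original page; it assumes a TLS-inspecting proxy that logs both names per request, and the record format, hostnames and addresses are constructed.

```python
"""Flag requests whose TLS SNI and HTTP Host header disagree at the
registrable-domain level: the inherent signature of domain fronting.
Constructed sample records; hostnames and IPs are not real indicators."""
from dataclasses import dataclass

# Constructed proxy records: client_ip|tls_sni|http_host|user_agent
SAMPLE_RECORDS = [
    "10.0.0.5|ajax.microsoft.com|ajax.microsoft.com|Mozilla/5.0 (Windows NT 10.0)",
    "10.0.0.7|ajax.microsoft.com|example-endpoint.azureedge.net|dlerinfra",
    "10.0.0.8|do.skype.com|cdn.do.skype.com|Mozilla/5.0 (Windows NT 10.0)",
    "10.0.0.9|msdn.microsoft.com|example-endpoint.azureedge.net|Mozilla/5.0 (X11)",
    "10.0.0.10|||curl/8.0",  # no SNI and no Host: nothing to compare
]


@dataclass(frozen=True)
class Finding:
    client_ip: str
    sni: str
    host: str
    reasons: tuple


def registrable_domain(name: str) -> str:
    """Approximate eTLD+1 by keeping the last two DNS labels. Adequate for the
    single-label public suffixes used here; production code should consult
    the Public Suffix List so that names like example.co.uk compare correctly."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(records, weak_ua_iocs=frozenset({"dlerinfra"})):
    """Return one Finding per record whose SNI and Host name different
    registrable domains. A User-Agent hit is appended only as supporting
    evidence: it is trivially rotated, whereas the SNI/Host split is not."""
    findings = []
    for line in records:
        client_ip, sni, host, ua = line.split("|", 3)
        if not sni or not host:
            continue  # cannot evaluate without both names
        if registrable_domain(sni) == registrable_domain(host):
            continue  # ordinary CDN traffic: outer and inner names agree
        reasons = [f"SNI {sni} does not match Host {host}"]
        if ua in weak_ua_iocs:
            reasons.append(f"User-Agent matches known profile string {ua!r}")
        findings.append(Finding(client_ip, sni, host, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        print(f.client_ip, "->", "; ".join(f.reasons))
```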